internal/report: fix bug in CVE5 generation

Fixes a bug in which incorrect version ranges were sometimes generated
when converting reports to CVE5. The bug happens when operating on a report
with no fixed version.

The problem is that the CVE JSON 5.0 format only allows version ranges
of the form "versions X to Y are affected", "versions X to Y are NOT affected"
or "version X is affected".

It does not directly allow the statement "version X and above are affected" - this must be expressed as "version 0 through X are unaffected, all others are affected". This change allows that to be expressed.

This bug became clear when we published GO-2023-2328. The CVE for that report
is also re-generated as a part of this change.

Change-Id: I0c61168581d65b13850d3a763a3300c04594b84c
LUCI-TryBot-Result: Go LUCI <>
Reviewed-by: Damien Neil <>
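The conversion described above, as an added example that is not vulndb's own code: the `Range`, `Version`, `Affected` types and the `ToCVE5` function are names assumed for this illustration, while the JSON tags mirror the CVE JSON 5.0 `versions` object (`version`, `lessThan`, `status`, `versionType`, `defaultStatus`). It also covers the mixed case of fixed ranges followed by an unfixed one.

```go
package main

import "fmt"

// Range is one report range; Fixed is "" when unfixed. Assumed sorted, non-overlapping.
type Range struct{ Introduced, Fixed string }

// Version is one CVE 5.0 affected[].versions entry; Affected wraps the list.
type Version struct {
	Version     string `json:"version"`
	LessThan    string `json:"lessThan,omitempty"`
	Status      string `json:"status"`
	VersionType string `json:"versionType"`
}
type Affected struct {
	DefaultStatus string    `json:"defaultStatus"`
	Versions      []Version `json:"versions"`
}

func intro(r Range) string { // a missing introduced version means "from 0"
	if r.Introduced == "" {
		return "0"
	}
	return r.Introduced
}

// ToCVE5: CVE 5.0 cannot say "X and above are affected", so with an unfixed last
// range the default is "affected" and only the gaps are listed as unaffected.
func ToCVE5(ranges []Range) Affected {
	if n := len(ranges); n == 0 || ranges[n-1].Fixed != "" {
		a := Affected{DefaultStatus: "unaffected"}
		for _, r := range ranges {
			a.Versions = append(a.Versions, Version{intro(r), r.Fixed, "affected", "semver"})
		}
		return a
	}
	a := Affected{DefaultStatus: "affected"}
	prev := "0"
	for _, r := range ranges {
		if in := intro(r); in != prev {
			a.Versions = append(a.Versions, Version{prev, in, "unaffected", "semver"})
		}
		prev = r.Fixed // "" after the unfixed last range: everything above stays affected
	}
	return a
}

func main() {
	fmt.Printf("%+v\n", ToCVE5([]Range{{Introduced: "1.2.0"}})) // constructed: unfixed since 1.2.0
}
```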
3 files changed

The Go Vulnerability Database

This repository contains the infrastructure and internal reports to create the Go Vulnerability Database.

Check out for more information about the Go vulnerability management system.

Reporting a vulnerability or feedback

Click here to report a public vulnerability in the Go ecosystem, or give feedback about the project.

Privacy Policy

The privacy policy for govulncheck can be found at
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries are distributed under the terms of the CC-BY-4.0 license. See for information on how to access these entries.